Facebook suffers a data breach about how it’s hoping to stop the media talking about its last data breach

Facebook suffers a data breach about how it’s hoping to stop the media talking about its last data breach

Facebook suffers a data breach about how it's hoping to stop the media talking about its last data breach

Oh dear. Facebook has suffered another data breach.

Hot on the heels of the revelation that the phone numbers and personal data of half a billion Facebook users had been leaked online, the social network has goofed again.

But this time it’s Facebook’s PR team rather than its users who have been left exposed.

EmailSign up to our newsletter
Security news, advice, and tips.

Someone in Facebook’s EMEA Communications team seems to have accidentally forwarded an internal email to… a journalist covering the story of the Facebook data breach.

Part of the redacted email sent by Facebook to a journalist
Part of the redacted email sent by Facebook to a journalist. Source: Data News.

My guess is that a Facebook employee attempted to forward the internal communication to a colleague, and their email client accidentally auto-completed the recipient’s name to be that of an external journalist. Oops!

What makes matters worse for Facebook, is that the email reveals the company’s strategy for handling questions about the exposure of 533 million users’ data, painting the problem as an issue for the whole technology industry.

Belgian journalist Pieterjan Van Leemputten was the recipient of the accidental email from Facebook on 8 April, as he describes in an article on Data News.

Part of the accidentally-sent email reviews the media coverage that Facebook has already received from the breach:

OVERALL COVERAGE: Publications have offered more critical takes of Facebook’s response framing it as evasive, a deflection of blame and absent of an apology for the users impacted. These pieces are often driven by quotes from data experts or regulators, keen on criticizing the company’s response as insufficient or framing the company’s assertion that the information was already public as misleading. With regulators fully zeroed in on the issue, expect the steady drumbeat of criticism to continue in the press. However, it is important to note that both media coverage and social conversation continues to gradually decline from its peak over the weekend on Monday.

In other words – hunker down, the media will stop writing about it, and the storm will pass.

Facebook’s communications team says it’s not planning to comment further on the breach as long as the media coverage continues to decline.

However, the social network says it is going to be revealing more data-scraping incidents in an attempt to normalise the issue as an industry issue

LONG TERM STRATEGY: Assuming press volume continues to decline, we’re not planning additional statements on this issue. Longer term, though, we expect more scraping incidents, and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly. To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area. While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact that this activity is ongoing and avoid criticism that we aren’t being transparent about particular incidents.

To be clear, Facebook said that the problem was initially discovered and resolved in August 2019. But at least one researcher says that he first warned Facebook that the potential problem back in 2017.

Facebook has tried to downplay the incident, and pitched it as an industry-wide issue. But their arguments are unconvincing, and their failure to acknowledge that they failed to properly fix the problem in the past is telling us loud and clear about their transparency and openness.

Facebook knew there was a problem, and failed to do anything until half a billion users’ details were released. And even now it still hasn’t contacted affected users.

There’s only one way we’re likely to get answers (and, heaven forbid, an actual apology) from Facebook is if we keep talking about it.


If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.

Leave a Reply

Your email address will not be published. Required fields are marked *